American Public Power Association (APPA) President and CEO Joy Ditto on June 9 sent a letter to Jennifer Easterly, Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) regarding implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
In the letter, Ditto asks for a commitment from Easterly “to take a careful and deliberative process that takes into account existing reporting mandates and to appropriately tailor reporting mandates commensurate with risk to national security.”
Signed into law by President Biden in March 2022, the law requires covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Those obligations take effect only once CISA completes rulemaking: the law directs CISA to publish a notice of proposed rulemaking within 24 months of enactment and a final rule within 18 months after that, and the rule is what will define which entities and incidents are covered.
Ditto noted in her letter that the electric sector has mandatory and enforceable federal regulatory standards in place for cyber and physical security. These standards include mandatory reporting of specific cyber incidents to the Department of Energy (DOE) via an Electric Emergency Incident and Disturbance Report and to the North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC).
Outside of these mandatory reporting standards, public power utilities participate in robust voluntary information sharing systems such as the Electricity Subsector Coordinating Council (ESCC) and the Electricity Information Sharing and Analysis Center (E-ISAC), as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Moreover, electric utilities worked closely with the National Security Council, DOE, and DHS on the “100 Day Electric Sector Industrial Control Systems Cybersecurity Sprint” to encourage and support utilities’ visibility and monitoring of their industrial control system and operational technology networks, as well as automated sharing into government, Ditto pointed out.
The electric sector “is unique among critical infrastructure sectors in the extent and maturity of existing information sharing regulations and programs,” she wrote. Public power utilities, which are units of state and local government and vary widely in size and risk profile, are more distinctive still.
“Given these complexities, and pursuant to Congress’ expressed intent, it is critical that CISA work directly with our industry’s sector risk management agency, DOE, as well as FERC and NERC, and industry itself, to harmonize, to the maximum extent possible, new reporting mandates and processes with those that already exist.”
In addition, Ditto strongly urged CISA to use “the considerable discretion given to it by Congress in the law to define covered entities for the purposes of mandated reporting of cybersecurity incidents in a risk-based manner.”
As Congress explicitly stated in the law, CISA must define the types of entities that constitute covered entities based on the “consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety,” she said.
“This is of particular importance to public power utilities, as APPA’s members have widely different risk profiles ranging from an electric utility with transmission assets that serves millions of customers to a very small distribution electric utility without an industrial control system serving 200 customers,” wrote Ditto.
She requested a meeting with Easterly and her team leading implementation to discuss the matters raised in the letter in detail.